
Installing a Private Certificate Authority (CA) on Ubuntu 22.04 – An Explanatory Guide

In this guide, you will learn how to set up and manage a private Certificate Authority (CA) using Easy-RSA on Ubuntu 22.04.
Every command, every file and every step is annotated.

A private CA provides reliable authentication for VPNs, internal network services, staging environments and closed systems.

Main Steps

  1. Easy-RSA installation
  2. Creating the PKI directory
  3. Creating the CA root certificate
  4. Distributing the ca.crt file
  5. (Optional) CSR signing
  6. (Optional) Certificate revocation and CRL generation

🔑 Private Certificate Authority (CA) Setup Steps

The CA server should be used only for certificate issuance and revocation.
It should be kept offline if possible for additional security.


1. Easy-RSA Setup

Update the package list:

sudo apt update

➡️ This command refreshes the list of packages in the repositories.

Install Easy-RSA:

sudo apt install easy-rsa

➡️ Installs the necessary scripts for CA management.


2. Preparation of PKI Directory

Create easy-rsa directory:

mkdir ~/easy-rsa

➡️ Creates the directory in which all CA files will be managed.


Link the Easy-RSA scripts into the directory:

ln -s /usr/share/easy-rsa/* ~/easy-rsa/

➡️ Because these are symlinks, the scripts are automatically updated whenever the package is updated.

Restrict directory permissions:

chmod 700 ~/easy-rsa

➡️ Only the owner can access this directory. It is essential for security.

Initialize the PKI directory structure:

cd ~/easy-rsa
./easyrsa init-pki

➡️ Creates the necessary folder and file structure for PKI.


3. Creating the CA Root Certificate

Edit the vars file:

nano vars

➡️ The organizational information required for the CA is kept here.

Fill it with the following content:

set_var EASYRSA_REQ_COUNTRY "TR"
set_var EASYRSA_REQ_PROVINCE "Istanbul"
set_var EASYRSA_REQ_CITY "Kadikoy"
set_var EASYRSA_REQ_ORG "GenixNodeCloud"
set_var EASYRSA_REQ_EMAIL "admin@ornek.com"
set_var EASYRSA_REQ_OU "Teknik"
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"

➡️ This information is written into the subject of the CA root certificate.

Generate the CA root certificate and private key:

./easyrsa build-ca

➡️ This produces the CA's two most critical files: ca.key (secret) and ca.crt (public). You will be prompted for a passphrase that protects ca.key.

If you want it without a password:

./easyrsa build-ca nopass

➡️ The CA key is then protected only by file permissions, so this is acceptable only on an offline or otherwise isolated CA host.

📌 Important Files (CA Structure)

The following two files are the heart of the Certificate Authority (CA) you created.
One is given to everyone; the other is never given to anyone.

File Path: pki/ca.crt
Description: The CA's public root certificate. This file is distributed so that clients and servers can trust the CA, and it is the file added to the trusted Root CA store.

File Path: pki/private/ca.key
Description: The CA's private key. All certificates are signed with this key, so its compromise would collapse the entire infrastructure. It is never shared; it is backed up and stored offline.

4. Distributing the CA Certificate to Other Systems

View the CA public certificate:

cat ~/easy-rsa/pki/ca.crt

➡️ Copy all content including BEGIN and END lines.

Create the file on the second Linux system:

nano /tmp/ca.crt

➡️ Paste the certificate you copied here.

Add it to the Ubuntu/Debian certificate store:

sudo cp /tmp/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

➡️ The CA is now trusted system-wide.

For RHEL/Fedora/CentOS:

sudo cp /tmp/ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

5. (Optional) CSR Creation and Signing

This step is required whenever a VPN, web server, API or internal service needs a certificate signed by the CA.

Install OpenSSL:

sudo apt install openssl

Generate the private key:

mkdir ~/test-csr && cd ~/test-csr
openssl genrsa -out genixnode-sunucu.key

➡️ Generates the server's private key. This file stays on the server; only the CSR is sent to the CA.

Create the CSR file:

openssl req -new -key genixnode-sunucu.key -out genixnode-sunucu.req -subj \
"/C=TR/ST=Istanbul/L=Kadikoy/O=GenixNodeCloud/OU=Teknik/CN=genixnode-sunucu"

➡️ The certificate request that will be signed by the CA.

Send the CSR to the CA server:

scp genixnode-sunucu.req user@CA_IP:/tmp/

➡️ Replace CA_IP with the address of your CA server.

Signing the CSR on the CA Server

Import the CSR:

cd ~/easy-rsa
./easyrsa import-req /tmp/genixnode-sunucu.req genixnode-sunucu

➡️ Registers the request in the CA's PKI under the name genixnode-sunucu.

Sign the certificate:

./easyrsa sign-req server genixnode-sunucu

➡️ Type yes to confirm the signing.

Return the signed certificate:

scp pki/issued/genixnode-sunucu.crt user@server:/tmp
scp pki/ca.crt user@server:/tmp

6. (Optional) Certificate Revocation (Revoke) + CRL Creation

Revoke the certificate:

./easyrsa revoke genixnode-sunucu

➡️ Marks the certificate as revoked in the CA database. Clients only learn of this once a CRL is generated and distributed.

Create the CRL (Certificate Revocation List):

./easyrsa gen-crl

➡️ Creates pki/crl.pem, which lists all revoked certificates.

Deploy the CRL:

scp ~/easy-rsa/pki/crl.pem user@server:/tmp

➡️ Services use this list to reject revoked certificates. The CRL has an expiry date, so regenerate and redeploy it regularly, not only after a revocation.
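The checks a CA operator should run around steps 4, 5 and 6 (does the issued certificate chain to the distributed ca.crt, what does the CSR actually ask for before you type yes, and is a revoked certificate really rejected once crl.pem is published), as an added example that is not part of the original guide or of Easy-RSA. It drives plain openssl in a throwaway directory instead of the Easy-RSA wrapper, so it runs anywhere openssl is installed and never touches a real PKI; "demo-ca", "demo-server" and the minimal config file are constructed placeholders standing in for the pki/ layout.

```shell
#!/bin/sh
# Added example (not the guide's or Easy-RSA's code): exercises the step 4-6 checks
# with plain openssl in a throwaway directory. demo-ca/demo-server are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config standing in for Easy-RSA's pki/ layout (constructed).
write_config() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"              # certificate database (Easy-RSA: pki/index.txt)
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha512
default_days     = 30
default_crl_days = 30
policy           = demo_policy
unique_subject   = no
[ demo_policy ]
commonName       = supplied
countryName      = optional
organizationName = optional
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Throwaway EC root CA (stands in for pki/ca.crt and pki/private/ca.key).
make_demo_ca() {
  write_config
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -config "$WORK/ca.cnf" -x509 -new -key "$WORK/ca.key" -sha512 -days 30 \
    -subj "/C=TR/O=demo-ca/CN=demo-ca Root" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -out "$WORK/ca.crt"
}

# Step 5, server side: private key and CSR (the key never leaves the server).
make_server_csr() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -new -key "$WORK/$1.key" \
    -subj "/C=TR/O=demo-ca/CN=$1" -out "$WORK/$1.req"
}

# What the operator should read before answering "yes": the CN being requested.
csr_cn() {
  openssl req -in "$WORK/$1.req" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 5, CA side (Easy-RSA "sign-req server"): issue a server certificate.
sign_server_csr() {
  openssl ca -config "$WORK/ca.cnf" -batch -notext -extensions server_ext \
    -in "$WORK/$1.req" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 4 check: does the issued certificate chain to the ca.crt we distributed?
cert_chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }

# Step 6 (Easy-RSA "revoke" and "gen-crl").
revoke_cert() { openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" 2>/dev/null; }
gen_crl()     { openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null; }

# What a relying service does with crl.pem: accept only if chained AND not revoked.
cert_passes_crl_check() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Number of revoked entries in the published CRL.
crl_revoked_count() {
  openssl crl -in "$WORK/crl.pem" -noout -text | grep -c 'Serial Number:' || true
}

run_demo() {
  make_demo_ca
  make_server_csr demo-server
  echo "CSR asks for CN=$(csr_cn demo-server)"
  sign_server_csr demo-server
  cert_chains_to_ca demo-server || { echo "ERROR: cert does not chain to ca.crt"; return 1; }
  gen_crl                                     # empty CRL: the cert must still pass
  cert_passes_crl_check demo-server || { echo "ERROR: rejected before revocation"; return 1; }
  revoke_cert demo-server
  gen_crl                                     # CRL now carries the revoked serial
  if cert_passes_crl_check demo-server; then echo "ERROR: revoked cert still accepted"; return 1; fi
  echo "revoked cert rejected; CRL lists $(crl_revoked_count) certificate(s); files in $WORK"
}

run_demo
```

The point the demo makes about step 6 is that revocation alone changes nothing for relying services: the certificate keeps validating until a fresh CRL is generated and the service is told to check it (here via `-crl_check` and `-CRLfile`, which is what a VPN or web server does with the crl.pem you copy over). Against a real Easy-RSA CA, point the same verify commands at pki/ca.crt, pki/issued/<name>.crt and pki/crl.pem instead of the throwaway directory.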


❓ Frequently Asked Questions (FAQ)

1. Why should the CA be kept offline?

If the CA's private key is compromised, the entire chain of trust collapses. So the CA should only be brought online while signing.

2. Why is ca.crt given to everyone?

This is a public root certificate. It does not contain confidential information.

3. What is CSR?

A signed request sent by a server or client to obtain a certificate from a CA. It contains the requester's public key and identity fields; the private key never leaves the requester.

4. What does CRL do?

It lists revoked certificates. Servers and clients check this list before accepting a certificate.

5. My CA key was stolen, what happens?

You lose all security of the infrastructure. You must set up a new CA and reissue every certificate.


🎯 Result

With these steps you have set up a fully functional Certificate Authority on Ubuntu 22.04. You can now generate, revoke and manage trusted certificates for all services on your own network.

You can immediately implement this structure in your isolated Virtual Instances on GenixNode.